What is Istio Ingress Gateway?

The Istio Ingress Gateway is a component of the Istio service mesh that provides ingress traffic management for applications running within the mesh. It is responsible for controlling the flow of incoming and outgoing network traffic to and from the mesh, and can be configured to provide features such as load balancing, SSL termination, and authentication. 

The Ingress Gateway acts as a single entry point for all incoming traffic, routing it to the appropriate service within the mesh based on the incoming request. This allows Istio to provide a consistent, high-performance traffic management layer across all the services in the mesh.

The history of Istio’s traffic management APIs

Istio is an open source project that was originally developed by Google, IBM, and Lyft. It provides a number of APIs for managing and securing microservices, including APIs for traffic management. The traffic management APIs allow administrators to control the routing of traffic within the mesh, as well as perform tasks such as request rate limiting, fault injection, and traffic splitting.

Istio’s traffic management APIs have evolved over time, with new features and capabilities being added in each release. Some of the key milestones in the development of Istio’s traffic management APIs include:

  • In Istio 1.0, the initial version of the traffic management APIs was introduced, including support for routing rules and traffic shifting based on HTTP headers and other request attributes.
  • In Istio 1.5, support for traffic mirroring was added, allowing administrators to send a copy of incoming traffic to a separate service for testing or other purposes.
  • In Istio 1.7, support for traffic shadowing was added, allowing administrators to send a copy of incoming traffic to a separate service without affecting the original traffic.
  • In Istio 1.9, support for weighted routing was added, allowing administrators to specify the percentage of traffic that should be sent to each service in a traffic splitting configuration.

Istio is an actively developed project, and new features and capabilities are regularly added to the traffic management APIs and other components of the platform.

Istio gateways

In Istio, a gateway is a Kubernetes resource that defines a load balancer that operates at the edge of the mesh, receiving incoming requests and forwarding them to the appropriate service within the mesh. There are two types of Istio gateways:

Ingress gateway 

An Ingress gateway is a load balancer that handles incoming HTTP and HTTPS traffic to the mesh. It can be used to expose services to the internet, or to enable communication between services within the mesh. The Ingress gateway is implemented using a Kubernetes gateway resource and a set of Envoy proxy instances.

Egress gateway 

An Egress gateway is a load balancer that handles outgoing traffic from the mesh to external services. It can be used to enable communication between services within the mesh and external services, or to perform tasks such as TLS termination or request rate limiting on outgoing traffic. Like the Ingress gateway, the Egress gateway is implemented using a Kubernetes gateway resource and a set of Envoy proxy instances.

Istio gateways are configured using gateway resources and VirtualService resources, which define the routing rules for incoming and outgoing traffic. They can be used in combination with other Istio features, such as service mesh policies and service mesh telemetry, to provide a comprehensive platform for managing and securing microservices.

Tutorial: Configuring Istio Ingress Gateway

Here is a high-level tutorial on how to configure the Istio ingress gateway:

  1. First, make sure that you have Istio installed and running on your Kubernetes cluster. You can use the Istio installation guide to set up Istio if you haven’t already done so.
  2. Next, create a Kubernetes Service and Deployment for your application, and make sure that they are properly labeled so that Istio can identify and route traffic to them.
  3. Create an Istio VirtualService resource that routes traffic to your application’s service. This resource is used to configure the routing rules for incoming traffic to your application. The following is an example of a simple VirtualService resource:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
  name: my-application
  - "*"
  - my-ingress-gateway
  - match:
    - uri:
        prefix: /my-application
    - destination:
        host: my-application-svc
          name: http
  1. Create an Istio Gateway resource that defines the ingress gateway for your cluster. The Gateway resource tells Istio what ports to open for incoming traffic and what protocols to use for the traffic.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
  name: my-ingress-gateway
    istio: ingressgateway
  - port:
      name: http
      number: 80
      protocol: HTTP
    - "*"
  1. Finally, apply the resources to your cluster.
kubectl apply -f my-virtual-service.yaml
kubectl apply -f my-ingress-gateway.yaml

Kiali ingress gateway

Image Source: Istio

  1. You can check the namespace graph in Kiali and see if the traffic is being routed as per your configurations. If you find any issues, you can use the Kiali console to debug.
  2. Once you’ve set up Istio Ingress Gateway, it should be able to handle all requests. As a good practice, it is recommended to delete the Kubernetes Ingress resource because it could conflict with Istio and cause routing issues.

Istio Ingress Gateway with Gloo Mesh / Gloo Gateway

Solo Gloo Platform delivers a unique, integrated architecture, which brings together Istio Service Mesh, advanced multi-cluster management, and API Gateway functionality. This enhances the default Istio Ingress Gateway functionality with robust routing, security, and high availability. 

Learn more about Gloo Platform.